ABUSING BROWSER ADDRESS BAR FOR FUN AND PROFIT - AN EMPIRICAL INVESTIGATION OF ADD-ON CROSS SITE SCRIPTING ATTACKS Presenter: Jialong Zhang

Roadmap  Introduction  Background and Motivation  Experiments  Discussion  Related Work  Conclusion

Introduction  Add-on Cross Site Scripting (XSS) Attacks  A sentence using social engineering techniques  Javascript:codes  For Example, on April 25, 2013, over 70,000 people have been affected by one such Add-on XSS attack on tieba.baidu.com.

Roadmap  Introduction  Background and Motivation  Experiments  Discussion  Related Work  Conclusion

Background

A Motivating Example

Roadmap  Introduction  Background and Motivation  Experiments  Discussion  Related Work  Conclusion

Expriments  Experiment One: Measuring Real-world Attacks  Experiment Two: User Study Using Amazon Mechanical Turks  Experiment Three: A Fake Facebook Account Test

Experiment One  Data Set:  Facebook: 187 million wall posts generated by roughly 3.5 million users  Twitter: 485,721 Twitter accounts with 14,401,157 tweets  Results  Facebook  Twitter CategoryDescription# of distinct samples Malicious BehaviorRedirecting to malicious sites Redirecting to malicious videos 40 3 Mischievous Tricks Sending invitations to friends Keep popping up windows Alert some words Benign BehaviorZooming images Letting images fly Discussion among technicians Total58 CategoryDescription# of distinct samples Malicious BehaviorRedirecting to malicious sites Including malicious JavaScript 2525 Benign BehaviorChanging Background Color Altering Textbox Color 1111 Total9

Experiment One – Discussion  Beyond Attacks in the Wild:  More Severe Damages Stealing confidential information Session fixation attacks Browser Address Bar Worms  More Technique to Increase Compromising Rate Trojan – Combining with Normal Functionality Obfuscating JavaScript Code  So we have experiment two.

Roadmap  Introduction  Background and Motivation  Experiments  Experiment One  Experiment Two  Experiment Three  Discussion  Related Work  Conclusion

Experiment Two  Methodology  Survey format Consent form Demographic survey Survey questions  Comparative survey changing one parameter but fixing others  Question sequence randomization  Platform: Amazon Mechanical Turk

Experiment Two  Results  Percentage of Deceived People According to Different Factors  Percentage of Deceived People According to Age  Percentage of Deceived People According to Different Spamming Categories  Percentage of Deceived People According to Programming Experiences  Percentage of Deceived People According to Years of Using Computers FactorWithout the factorWith the factor Obfuscated URL29.4%38.4% Lengthy JavaScript38.4%40.4% Combining with Benign Behavior 37.1%40.0% Typing “JavaScript:” and then Pasting Contents 38.2%20.3%

Experiment Two  Results  Percentage of Deceived People According to Age  Percentage of Deceived People According to Different Spamming Categories  Percentage of Deceived People According to Programming Experiences  Percentage of Deceived People According to Years of Using Computers AgeRate Age <= % 25 < Age <= % 30 < Age <= % Age > %

Experiment Two  Results  Percentage of Deceived People According to Different Spamming Categories  Percentage of Deceived People According to Programming Experiences  Percentage of Deceived People According to Years of Using Computers CategoryRate Magic (like flying images)38.4% Porn (like sexy girl)36.3% Family issue (like a wedding photo) 52.7% Free ticket29.2%

Experiment Two  Results  Percentage of Deceived People According to Programming Experiences  Percentage of Deceived People According to Years of Using Computers Programming ExperienceRate No38.4% Yes, but only a few times36.3% Yes52.7%

Experiment Two  Results  Percentage of Deceived People According to Years of Using Computers Years of Using ComputersRate < 5 years56.7% 5 – 10 years41.1% 10 – 15 years28.0% 15 – 20 years24.3%

Roadmap  Introduction  Background and Motivation  Experiments  Experiment One  Experiment Two  Experiment Three  Discussion  Related Work  Conclusion

Experiment Three  Experiment setup  A fake female account on Facebook using a university address.  By sending random invitations, the account gains 123 valid friends.  Experiment Execution  We post an add-on XSS sample. Description: a wedding photo JavaScript: show a wedding photo and send an request to a university web server  Result 4.9% deception rate.

Experiment Three  Comparing with experiment two – why is the rate much lower than the one in experiment two?  Not everyone has seen the status message.  The account is fake and thus no one knows this person.

Roadmap  Introduction  Background and Motivation  Experiments  Discussion  Related Work  Conclusion

Discussion  The motives of the participants  We state in the beginning that we will pay those participants no matter what their answers are.  Can we just disable address bar JavaScript?  There are some benign usages.  Ethics issue  No participant is actually being attacked.  We inform the participants after our survey.

Roadmap  Introduction  Background and Motivation  Experiments  Discussion  Related Work  Conclusion

Related Work  Human Censorship  Slow  Disabling Address Bar JavaScript  Dis-function of existing programs  Removing the keyword – “JavaScript”  Problem still exists (a user can input himself)  Defense on OSN Spam  High False Negative Rate

Roadmap  Introduction  Background and Motivation  Experiments  Discussion  Related Work  Conclusion

Conclusion  Add-on XSS combines social engineering and cross- site scripting.  We perform three experiments:  Real-world Experiment  Experiment using Amazon Mechanical Turks  Fake Facebook Account Experiment  Researchers and browser vendors should take actions to fight against add-on XSS attacks.

Thanks! Questions?